Hi,
I am using the latest versions of Logstash and a 4 node Elasticsearch cluster. I recently attended the ELK training in Manchester and my new Logstash setup happily puts data into my test single node Elasticsearch that I used in the class. The test Logstash from the class has the same problem as my new setup.

The two are communicating because for every line of log, ES creates 4 fields of data similar to the following.

The only thing I can think of that are a bit different are that the 4 nodes have been upgraded through several versions of ES, We also have the couchbase plugin installed and we have at least one of our indexes locked so that they mapping cannot be changed.

Any suggestions on how to sort this one out would be gratefully appreciated as my forehead is getting very sore now.